A former, unnamed programmer for spyware maker NSO Group was indicted last week for allegedly stealing source code, disabling company security so they could load it onto a storage drive, and trying to sell it on the Dark Web for USD $50m.
Actually, that would have been a bargain: According to a translated version of the indictment (PDF), the powerful spyware’s capabilities are estimated to be worth “hundreds of millions of [US] dollars.”
The company’s products have made headlines on multiple occasions.
NSO Group, an Israeli company, sells off-the-shelf spyware that’s been called History’s Most Sophisticated Tracker Program.
One of its products, codenamed Pegasus, enables governments to send a personalized text message with an infected link to a blank page. Click on it, whether it be on an iOS or Android phone, and the software gains full control over the targeted device, monitoring all messaging, contacts and calendars, and possibly even turning on microphones and cameras for surveillance purposes.
Pegasus is supposed to be used solely by governments, to enable them to invisibly track criminals and terrorists. But once software blinks into existence, keeping it out of the hands of the wrong people can be very difficult.
One case in point came last year, when Pegasus was reportedly used to target Mexico’s “most prominent human rights lawyers, journalists and anti-corruption activists, in spite of an explicit agreement that it be used only to battle terrorists or the drug cartels and criminal groups that have long kidnapped and killed Mexicans,” as the New York Times reported.
According to Amnesty International, Pegasus has also been used in the United Arab Emirates, where the government targeted prominent activist and political dissident Ahmed Mansoor. Last month, Mansoor was sentenced to 10 years in jail and a fine of 1,000,000 Emirati Dirham (USD $272K) on charges including “insulting the UAE and its symbols.”
In short, in this epoch of epic law enforcement frustration over the encryption that increasingly bars investigators from cracking suspects’ (and surveillance targets’) devices, such powerful spyware translates into intellectual property gold.
The indictment of the alleged spyware thief was first picked up by Israeli news outlets. One of them, Globes, compared it to a Hollywood thriller:
Software worth hundreds of millions of dollars is stolen by an employee of a leading cyber security company. All the warning lights turn on during the theft and no one does anything. For about three weeks, the worker keeps the powerful weapons under the mattress in his apartment in Netanya—and no one does anything. During the period, he checks Google (yes, Google) [to find out] how he can sell the secret software, and after the test he offers to sell his weapons to a foreign party on the ‘Dark Net’—for $50 million.
That is, in truth, exactly what the indictment alleges. According to the indictment, the employee—although they’re not named in the indictment, the English translation of the document uses male pronouns to refer to the defendant, so we’ll follow suit—started working as a senior programmer in NSO Group’s offices in Herzliya in November 2017.
Years earlier, in August 2012, he had allegedly searched the internet for ways to disrupt the company’s security software. Later, he allegedly disrupted the security software so that he could transfer data between his workstation and an external drive without authorization. Then, on 29 April 2018, the programmer was summoned to a conversation with his direct manager to chat about the company’s dissatisfaction with his performance. His boss invited him to a hearing scheduled for 2 May.
After that, he allegedly made his move: according to the indictment, he copied the spyware, which Globes reports was, specifically, the infamous Pegasus tool. Then, he allegedly took the storage device and stuck it under his mattress. He Googled how to sell the hot commodity, as well as who might be interested, according to the indictment.
Then, he allegedly used the encrypted, anonymous Mail2Tor email service to hide his tracks on the dark net as he listed Pegasus for sale. The programmer allegedly tried to blur the way the tool was obtained by posing as one of a group of hackers that managed to break into NSO’s systems.
At one point, he heard from an interested, also unnamed buyer. He was no buyer, though: suspicious of the seller, the “buyer” instead reported it all to NSO.
The programmer then allegedly requested payment be made in the virtual currencies Monero, Verge and Zcash. Three days after the “buyer” requested additional details about the sale being exclusive, Israeli police arrested the programmer, before he had a chance to sell the spyware.
The government is charging the ex-employee with attempting to “maliciously cause damage to property used by armed forces,” and with actively trying to harm the security of the country. He’s also charged with trying to illegally sell the software without a security marketing license, with disrupting NSO’s company security operations, and with theft by an employee.
Regardless of what you think of spyware used to target a) criminals, terrorists, and drug cartels or b) anti-corruption activists or other persecuted groups, this case illustrates (like the CIA’s Vault 7 leak and the NSA’s hack by the Shadow Brokers before it) just how hard it is to keep vulnerabilities, and the tools that exploit them, under wraps.